Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my search to get a count by error text?

tkasim
New Member
‎01-11-2016 09:25 PM

Hi everyone,

I am trying to do the following in Splunk, but it's not working:

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(search, "%error1%"),"error1",
like(search, "%error2%"),"error2"
) | chart count by Description

Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-11-2016 10:06 PM

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-11-2016 10:06 PM

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

tkasim
New Member
‎01-11-2016 10:10 PM

Hi Renjith

the "search" keyword is not a field. I actually want to search the resultset for those errors...
I am not sure how to point to the resultset. I have zero experience with splunk so please excuse the novice question.

I also tried "rawtext" that too didn't work.

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(rawtext, "%error1%"),"error1",
like(rawtext, "%error2%"),"error2"
) | chart count by Description

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-12-2016 06:15 PM

Alright. For raw your should use _raw ie

 index=MRM eventtype=MRM_ERROR |eval Description=case(like(_raw, "%error1%"),"error1",like(_raw, "%error2%"),"error2") | chart count by Description

Ideally if the field is not available , you should extract the field using field extraction techniques in splunk

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX
http://docs.splunk.com/Documentation/Splunk/6.1/Search/Extractfieldswithsearchcommands
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Createandmaintainsearch-timefieldextract...

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

tkasim
New Member
‎01-12-2016 08:24 PM

Thank you so much.

My plan is to turn the most frequent errors into fields. The above is a great starting point. Thanks for the links, just what I needed 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...